Fraud Warnings Complicate Mortgage Lending Process
CUs must implement safeguards against real estate-related schemes.
Increasingly, cybercriminals are spoofing emails in an attempt to trick real estate buyers into wiring funds into the hacker’s account. This fraud trend should put all organizations conducting mortgage loan transactions on alert.
Wire fraud schemes, a typical attack method, have accounted for $5 billion in financial losses to consumers since 2013, according to FBI statistics.
Multiple government agencies and trade associations have issued advisories about the scammers. Recently, the state of New Jersey warned credit unions, banks, mortgage lenders, loan originators, title insurers, real estate agents and consumers about hackers trying to pocket mortgage funds during the home buying process.
Nearly two years ago, the Federal Trade Commission and the National Association of Realtors cautioned about scammers impersonating real estate agents and title insurance companies to steal consumers’ closing outlays. The FTC and NAR issued a stronger consumer advisory last summer that warned of scammers.
Early last year, the American Land Title Association urged the CFPB to warn consumers about the pervasiveness of real estate funds phishing scams. In July 2017, the CFPB published a warning about the wire fraud schemes on its blog. The CFPB wrote, “Scammers attempt to steal the homebuyer’s closing funds – for example, their down payment and closing costs – by sending the homebuyer an email posing as the homebuyer’s real estate agent or settlement agent (title company, escrow officer or attorney).”
First, attackers try to steal credentials for the email accounts of entities involved in the mortgage process – real estate firms, brokers, or title or holding companies – using a phishing email with a link to a fake sign-in page, Asaf Cidon, vice president of email security at the Campbell, Calif.-based Barracuda Sentinel, explained. “After stealing the credentials, they use the account to observe all the real estate transactions so they can send spear phishing emails right before the deal is about to close.”
The hacker then sends an email to the buyer, posing as the real estate professional or title company and falsely claiming there has been a last-minute change in the closing process. For example, they’ll say a check is no longer acceptable or the wiring instructions have changed. The email then instructs the homebuyer to wire or electronically transmit the closing funds to an account under the scammer’s control.
This nightmare scenario could have substantial financial consequences for the homebuyer, who might end up losing the house, lots of money, personal information and much more, Cidon pointed out. “It’s one of the best ways for cybercriminals to get a hold of a $100,000 or $200,000 wire transfer.”
All these successful scams share one unfortunate result: The funds diverted through these criminal acts are nearly impossible to recover, New Jersey Department of Banking and Insurance Acting Commissioner Marlene Caride said in the bulletin. “These industries handle millions of dollars in wire transfers every day in connection with mortgage loans, and taking precautions to safeguard these transactions should be a high priority.”
In a report published last summer, Barracuda Sentinel phishing experts dissected an incident where an attacker attempted to interfere with a mortgage closure. The attack attempt, made at the eleventh hour of a mortgage deal, tried to trick a homebuyer into wiring a payment into the wrong hands.
According to the case study, the buyer received an email that appeared to come from their mortgage company, announcing a bank switch and telling them to follow the updated wiring instructions in the email attachment.
Fortunately, in this instance, the message raised a red flag and the buyer immediately called his mortgage agent to investigate before proceeding. He did everything right to avoid a catastrophe – he questioned the request, identified the spoofed domain and immediately called his mortgage agent to confirm the message was a scam.
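A lender's or title company's mail pipeline can automate the two checks the buyer made by hand. The sketch below is an added example, not code from the Barracuda report or this article; the party domains, phrase list, distance threshold and function names are assumptions chosen for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the lender keeps the domains of the parties on each loan file.
KNOWN_DOMAINS = {"example-title.test", "example-lending.test"}
WIRE_CHANGE = re.compile(
    r"(?:updated|new|revised|changed)\s+wir(?:e|ing)\s+instructions"
    r"|wir(?:e|ing)\s+instructions\s+ha(?:ve|s)\s+changed"
    r"|check\s+is\s+no\s+longer\s+accept", re.I)

def edit_distance(a, b):
    # Levenshtein distance: catches one- or two-character domain swaps.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def review(raw):
    """Return the reasons a closing-related email should be held."""
    msg = message_from_string(raw)
    sender = parseaddr(msg["From"] or "")[1].rpartition("@")[2].lower()
    # Plain-text parts only; encoded parts would need decoding first.
    text = (msg["Subject"] or "") + " " + " ".join(
        p.get_payload() for p in msg.walk() if not p.is_multipart())
    flags = []
    if WIRE_CHANGE.search(text):
        flags.append("wiring change")
    if sender not in KNOWN_DOMAINS and any(
            edit_distance(sender, d) <= 2 for d in KNOWN_DOMAINS):
        flags.append("lookalike sender domain")
    return flags

def needs_callback(raw):
    # Verify by phone even for a known domain: the real mailbox may be hijacked.
    return "wiring change" in review(raw)

def _mail(domain, body):  # builds a constructed sample message
    return f"From: Closing Desk <closing@{domain}>\nSubject: Closing\n\n{body}\n"

# Constructed samples, not taken from any real incident.
SAMPLES = {
    "lookalike": _mail("examp1e-title.test", "Follow the updated wiring instructions."),
    "hijacked": _mail("example-title.test", "The wiring instructions have changed."),
    "routine": _mail("example-title.test", "Closing is confirmed for Friday."),
}
```

The "hijacked" sample passes the domain check because it comes from the genuine account, which is why the wiring-change language alone forces a callback.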
There have been many reports of similar incidents in which the phishing victims were not as fortunate, however, like a case of a family living in a city and preparing a move to the suburbs, only to have their $70,000 down payment vanish into the dark web. A week before closing, the family missed a warning from their attorney to ignore any requests about wiring funds.
“Hackers typically crack the password of any number of realtors and then piece together a series of consumer targets who are communicating back and forth with the realtor regarding closing preparation,” John Buzzard, industry fraud specialist for the Rancho Cucamonga, Calif.-based CO-OP Financial Services, said. He added that fraudsters, armed with information derived from the hacked email, proceed to contact the consumer directly with updated wire transfer information. “The criminals take this one step further by calling and confirming the wire information with the consumer, making it incredibly difficult for the consumer to pick up on the anomalous activity.”
So how can credit unions protect against these types of attacks that often catch people off guard?
“First, common sense should prevail here,” Buzzard stated. He suggested lenders provide a client PIN and security phrase as part of the lending process, along with some basic warnings about how and when a request for down payments or other funding sources will develop during the closing.
In addition, Buzzard remarked consumers should receive financial settlement instructions prior to the settlement day and contact the lender about any questionable requests with simple, direct phone calls. Consumers should be fully aware of the expectation for funding and how the process should occur. “If there is a PIN or security phrase added into the authorization layer, the consumer will already be taking the process of communication with extra caution.”
Buzzard also warned, “This is a very stressful period for even the savviest buyer; criminals are relying on this heightened level of stress in order to deploy their scams.”
He also noted that “any request for last minute, high-value money movement should immediately trigger concern for the consumer.” This is especially true when instructions come from unknown persons or from someone other than the lending officer on record.
If a credit union encounters a situation in which a hacker has attempted to intercept a wire transfer or otherwise commit fraud related to a real estate transaction, it should consider making a filing in accordance with the Bank Secrecy Act, Brian Godwin, interim CEO for the Des Moines, Iowa-based PolicyWorks, advised. “BSA rules require credit unions to file a Suspicious Activity Report for any criminal violations exceeding a cumulative total of $5,000 when a suspect can be identified.” In the more likely scenario of the suspect not being identified, the incident requires a SAR for violations totaling $25,000 or more in aggregate.
“Even if the total violation or attempted violation does not exceed these thresholds, the credit union should consider filing a SAR,” Godwin said. A credit union receives protection from liability for filing a SAR in any scenario in which it detects or suspects suspicious activity. “The provided information may help to deter future criminal activities, or better yet, help law enforcement capture these fraudsters, which protects us all.”
Cidon suggested taking a proactive approach to user training as it can be very effective. “Addressing any threat vectors with the proper IT security technologies can significantly lower the risk for an attack as well.”
The New Jersey notice also revealed a new wrinkle in the scams: Use of a phony phone number. Previously, the FTC recommended applicants verify all details of the transaction via a phone call. “But scammers are now deploying phone ‘porting’ technologies to intrude into that safeguarding process, masquerading as a trusted party,” it said.
Other real estate-related schemes have included fake referral emails, overpayment scams, and a home rental or sale con in which scammers download real estate photos online and create their own listings.
Recently, CU Times Executive Editor Michael Ogden shared a personal experience of a home sale that went belly up when a potential buyer produced a phony “Proof of Financing” document purchased online.